librpc/idl/krb5pac.idl

   1 /*
   2   krb5 PAC
   3 */
   4
   5 #include "idl_types.h"
   6
   7 import "security.idl", "lsa.idl", "netlogon.idl", "samr.idl";
   8
   9 [
  10   uuid("12345778-1234-abcd-0000-00000000"),
  11   version(0.0),
  12   pointer_default(unique),
  13   helpstring("Active Directory KRB5 PAC"),
  14   helper("../librpc/ndr/ndr_krb5pac.h")
  15 ]
  16 interface krb5pac
  17 {
  18         typedef struct {
  19                 NTTIME logon_time;
  20                 [value(2*strlen_m(account_name))] uint16 size;
  21                 [charset(UTF16)] uint8 account_name[size];
  22         } PAC_LOGON_NAME;
  23
  24         typedef [public,flag(NDR_PAHEX)] struct {
  25                 uint32 type;
  26                 [flag(NDR_REMAINING)] DATA_BLOB signature;
  27         } PAC_SIGNATURE_DATA;
  28
  29         typedef struct {
  30                 dom_sid2 *domain_sid;
  31                 samr_RidWithAttributeArray groups;
  32         } PAC_DOMAIN_GROUP_MEMBERSHIP;
  33
  34         typedef struct {
  35                 netr_SamInfo3 info3;
  36                 /*
  37                  * On ndr_push:
  38                  * Pointers values of info3.sids[*].sid
  39                  * should be allocated before the following ones?
  40                  * (just the 0x30 0x00 0x02 0x00 value).
  41                  */
  42                 PAC_DOMAIN_GROUP_MEMBERSHIP resource_groups;
  43         } PAC_LOGON_INFO;
  44
  45         typedef [bitmap32bit] bitmap {
  46                 PAC_CREDENTIAL_NTLM_HAS_LM_HASH = 0x00000001,
  47                 PAC_CREDENTIAL_NTLM_HAS_NT_HASH = 0x00000002
  48         } PAC_CREDENTIAL_NTLM_FLAGS;
  49
  50         typedef [public] struct {
  51                 [value(0)] uint32 version;
  52                 PAC_CREDENTIAL_NTLM_FLAGS flags;
  53                 [noprint] samr_Password lm_password;
  54                 [noprint] samr_Password nt_password;
  55         } PAC_CREDENTIAL_NTLM_SECPKG;
  56
  57         typedef [public] struct {
  58                 lsa_String package_name;
  59                 uint32 credential_size;
  60                 [size_is(credential_size), noprint] uint8 *credential;
  61         } PAC_CREDENTIAL_SUPPLEMENTAL_SECPKG;
  62
  63         typedef [public] struct {
  64                 uint32 credential_count;
  65                 [size_is(credential_count)] PAC_CREDENTIAL_SUPPLEMENTAL_SECPKG credentials[*];
  66         } PAC_CREDENTIAL_DATA;
  67
  68         typedef [public] struct {
  69                 PAC_CREDENTIAL_DATA *data;
  70         } PAC_CREDENTIAL_DATA_CTR;
  71
  72         typedef [public] struct {
  73                 [subcontext(0xFFFFFC01)] PAC_CREDENTIAL_DATA_CTR ctr;
  74         } PAC_CREDENTIAL_DATA_NDR;
  75
  76         typedef [public] struct {
  77                 [value(0)] uint32 version;
  78                 uint32 encryption_type;
  79                 [flag(NDR_REMAINING)] DATA_BLOB encrypted_data;
  80         } PAC_CREDENTIAL_INFO;
  81
  82         typedef struct {
  83                 lsa_String proxy_target;
  84                 uint32 num_transited_services;
  85                 [size_is(num_transited_services)] lsa_String *transited_services;
  86         } PAC_CONSTRAINED_DELEGATION;
  87
  88         typedef [bitmap32bit] bitmap {
  89                 PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001
  90         } PAC_UPN_DNS_FLAGS;
  91
  92         typedef struct {
  93                 [value(2*strlen_m(upn_name))] uint16 upn_name_size;
  94                 [relative_short,subcontext(0),subcontext_size(upn_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *upn_name;
  95                 [value(2*strlen_m(dns_domain_name))] uint16 dns_domain_name_size;
  96                 [relative_short,subcontext(0),subcontext_size(dns_domain_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *dns_domain_name;
  97                 PAC_UPN_DNS_FLAGS flags;
  98         } PAC_UPN_DNS_INFO;
  99
 100         typedef [public] struct {
 101                 PAC_LOGON_INFO *info;
 102         } PAC_LOGON_INFO_CTR;
 103
 104         typedef [public] struct {
 105                 PAC_CONSTRAINED_DELEGATION *info;
 106         } PAC_CONSTRAINED_DELEGATION_CTR;
 107
 108         typedef [public,v1_enum] enum {
 109                 PAC_TYPE_LOGON_INFO = 1,
 110                 PAC_TYPE_CREDENTIAL_INFO = 2,
 111                 PAC_TYPE_SRV_CHECKSUM = 6,
 112                 PAC_TYPE_KDC_CHECKSUM = 7,
 113                 PAC_TYPE_LOGON_NAME = 10,
 114                 PAC_TYPE_CONSTRAINED_DELEGATION = 11,
 115                 PAC_TYPE_UPN_DNS_INFO = 12
 116         } PAC_TYPE;
 117
 118         typedef struct {
 119                 [flag(NDR_REMAINING)] DATA_BLOB remaining;
 120         } DATA_BLOB_REM;
 121
 122         typedef [public,nodiscriminant,gensize] union {
 123                 [case(PAC_TYPE_LOGON_INFO)][subcontext(0xFFFFFC01)] PAC_LOGON_INFO_CTR logon_info;
 124                 [case(PAC_TYPE_CREDENTIAL_INFO)]        PAC_CREDENTIAL_INFO credential_info;
 125                 [case(PAC_TYPE_SRV_CHECKSUM)]   PAC_SIGNATURE_DATA srv_cksum;
 126                 [case(PAC_TYPE_KDC_CHECKSUM)]   PAC_SIGNATURE_DATA kdc_cksum;
 127                 [case(PAC_TYPE_LOGON_NAME)]     PAC_LOGON_NAME logon_name;
 128                 [case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)]
 129                         PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
 130                 [case(PAC_TYPE_UPN_DNS_INFO)]   PAC_UPN_DNS_INFO upn_dns_info;
 131                 /* when new PAC info types are added they are supposed to be done
 132                    in such a way that they are backwards compatible with existing
 133                    servers. This makes it safe to just use a [default] for
 134                    unknown types, which lets us ignore the data */
 135                 [default]       [subcontext(0)] DATA_BLOB_REM unknown;
 136         } PAC_INFO;
 137
 138         typedef [public,nopush,nopull] struct {
 139                 PAC_TYPE type;
 140                 [value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size;
 141                 /*
 142                  * We need to have two subcontexts to get the padding right,
 143                  * the outer subcontext uses NDR_ROUND(_ndr_size, 8), while
 144                  * the inner subcontext only uses _ndr_size.
 145                  *
 146                  * We do that in non-generated push/pull functions.
 147                  */
 148                 [relative,switch_is(type),subcontext(0),subcontext_size(NDR_ROUND(_ndr_size,8)),flag(NDR_ALIGN8)] PAC_INFO *info;
 149                 [value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */
 150         } PAC_BUFFER;
 151
 152         typedef [public] struct {
 153                 uint32 num_buffers;
 154                 uint32 version;
 155                 PAC_BUFFER buffers[num_buffers];
 156         } PAC_DATA;
 157
 158         typedef [public] struct {
 159                 PAC_TYPE type;
 160                 uint32 ndr_size;
 161                 [relative,subcontext(0),subcontext_size(NDR_ROUND(ndr_size,8)),flag(NDR_ALIGN8)] DATA_BLOB_REM *info;
 162                 [value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */
 163         } PAC_BUFFER_RAW;
 164
 165         typedef [public] struct {
 166                 uint32 num_buffers;
 167                 uint32 version;
 168                 PAC_BUFFER_RAW buffers[num_buffers];
 169         } PAC_DATA_RAW;
 170
 171         const int NETLOGON_GENERIC_KRB5_PAC_VALIDATE = 3;
 172
 173         typedef [public] struct {
 174                 [value(NETLOGON_GENERIC_KRB5_PAC_VALIDATE)] uint32 MessageType;
 175                 uint32 ChecksumLength;
 176                 int32 SignatureType;
 177                 uint32 SignatureLength;
 178                 [flag(NDR_REMAINING)] DATA_BLOB ChecksumAndSignature;
 179         } PAC_Validate;
 180
 181         [nopython] void decode_pac(
 182                 [in] PAC_DATA pac
 183                 );
 184
 185         [nopython] void decode_pac_raw(
 186                 [in] PAC_DATA_RAW pac
 187                 );
 188
 189         [nopython] void decode_login_info(
 190                 [in] PAC_LOGON_INFO logon_info
 191                 );
 192
 193         [nopython] void decode_login_info_ctr(
 194                 [in] PAC_LOGON_INFO_CTR logon_info_ctr
 195                 );
 196
 197         [nopython] void decode_credential_data_ndr(
 198                 [in] PAC_CREDENTIAL_DATA_NDR credential_data_ndr
 199                 );
 200
 201         [nopython] void decode_upn_dns_info(
 202                 [in] PAC_UPN_DNS_INFO upn_dns_info
 203                 );
 204
 205         [nopython] void decode_pac_validate(
 206                 [in] PAC_Validate pac_validate
 207                 );
 208
 209         /* used for samba3 netsamlogon cache */
 210         typedef [public] struct {
 211                 time_t timestamp;
 212                 netr_SamInfo3 info3;
 213         } netsamlogoncache_entry;
 214 }